Effect Of Intrusion Detection on Reliability of Mission-Oriented Mobile Group Systems in Mobile Ad Hoc Networks. Authors: J.H. Cho, I.R. Chen, and P.G. Feng.

Presentation transcript:

Effect Of Intrusion Detection on Reliability of Mission-Oriented Mobile Group Systems in Mobile Ad Hoc Networks. Authors: J.H. Cho, I.R. Chen, and P.G. Feng. IEEE Transactions on Reliability, Vol. 59, No. 1, 2010, pp [P1] (4/6 - Presented by R. Mitchell, C. Jian, and A.H. Saoud)

Outline
- Introduction (A.H. Saoud)
- System Model (A.H. Saoud)
- Performance Model (R. Mitchell)
- Parameterization (R. Mitchell)
- Numerical Results and Analysis (C. Jian)
- Applicability and Conclusion (C. Jian)

Introduction
- Analyze the effect of intrusion detection system (IDS) techniques on the reliability of a mission-oriented group communication system (GCS) in mobile ad hoc networks (MANETs).
- Identify the design conditions under which IDS techniques enhance reliability, and thus prolong the lifetime of the GCS.
- Limitations.
- Techniques: prevention, detection, recovery.

Introduction
- Apply model-based quantitative analysis to security analysis.
- MTTSF (mean time to security failure) reflects the expected system lifetime; it measures the time until loss of service availability or system integrity.
- Identify the optimal rate at which the IDS should be executed to maximize the system lifetime.

Introduction
- Consider the effect of security threats, and of the IDS techniques that counter them, on the system lifetime of a mission-oriented GCS in MANETs.
- Mathematical models identify the optimal intrusion detection rate at which MTTSF is maximized, by analyzing the tradeoff between the positive and negative effects of IDS.
- Show that the analysis methodology developed is generally applicable to varying network conditions.

System Model
- The notion of a mobile group is defined based on "connectivity."
- The GCS and its constituent mobile groups are "mission-oriented": mission execution is an application-level goal built on top of connectivity-oriented group communications.
- Parameters: leave rate, rejoin rate, mobility rate.
-  /( +  ): probability a node is in any group.
-  /( +  ): probability a node is not in any group.

System Model - Confidentiality
- A shared symmetric (group) key is used for secure group communications: a member encrypts the messages it sends to the other members of the group, giving confidentiality.
- Rekeying occurs upon group member join/leave/eviction, or group partition/merge events, to preserve secrecy.
- Group Diffie-Hellman (GDH), a contributory key agreement protocol, is used for group key rekeying: control is decentralized and there is no single point of failure.
- Identify optimal intrusion detection intervals to maximize MTTSF, leading to improved service availability.

System Model - Authentication
- Each member has a private key and a public key, available for authentication.
- The public keys of all group members are preloaded into every node.
- No certificate authority (CA) and no key revocation.
- A node's public key therefore serves as the identifier of the node.

System Model - IDS
- Host-based IDS: each node performs local detection to determine if a neighboring node has been compromised.
- The effectiveness of the IDS techniques applied is characterized by the false negative probability (P1) and the false positive probability (P2).
- Voting-based IDS: m nodes, each preinstalled with a host-based IDS, vote on a target node.
- Negative effects of compromised vote-participants: (a) evicting good nodes by always voting "no" to good nodes; (b) keeping bad nodes in the system by always voting "yes" to bad nodes.

System Model - IDS Tolerance
- The system-level false negative and false positive probabilities are calculated based on (a) the per-node false negative and false positive probabilities of the host-based IDS in each node; (b) the number of vote-participants selected to vote for or against a target node; (c) an estimate of the current number of compromised nodes.
- For the selection of participants, each node periodically exchanges its routing information, location, and identifier with its neighboring nodes.

System Model - Tolerance 2
- With respect to a target node, all neighbor nodes within a given number of hops from the target node are candidates as vote-participants.
- A coordinator is selected randomly by a hash function whose key is the identifier of a node concatenated with the current location of the node.
- The node with the smallest returned hash value becomes the coordinator.

System Model - Tolerance 3
- The coordinator selects m nodes randomly and broadcasts the list of m nodes.
- Any node not following the protocol raises a flag as a potentially compromised node, and may get itself evicted when it is later evaluated as a target node.
- The vote-participants are known to the other nodes; based on the votes received, the nodes can determine whether or not a target node is to be evicted.
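The voting-based IDS on the preceding slides turns per-node detection errors into system-level false negative (P1) and false positive (P2) probabilities. The following Python is an added example, not code from the paper or the presenters: it computes P1 and P2 exactly for a majority vote of m participants, under these assumptions of ours: the m participants are drawn uniformly without replacement from the other n_nodes - 1 nodes, of which n_compromised (the slides' "estimate of the current number of compromised nodes") are compromised; a compromised participant always votes "evict" against a good target and "keep" for a bad target; a good participant follows its host-based IDS with per-node error probabilities p_fp and p_fn; a target is evicted when more than half of the m votes say "evict".

```python
"""Added example: system-level P1/P2 of a majority-vote IDS with m
participants (not the paper's own derivation; assumptions as stated)."""
from math import comb


def hypergeom_pmf(k: int, population: int, successes: int, draws: int) -> float:
    """P(exactly k compromised nodes among `draws` picks, without
    replacement, from `population` nodes of which `successes` are compromised)."""
    if k < 0 or k > successes or draws - k > population - successes:
        return 0.0
    return comb(successes, k) * comb(population - successes, draws - k) / comb(population, draws)


def binom_tail(n: int, p: float, at_least: int) -> float:
    """P(Binomial(n, p) >= at_least); equals 1.0 when at_least <= 0."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i)
               for i in range(max(at_least, 0), n + 1))


def voting_ids_probabilities(m: int, n_nodes: int, n_compromised: int,
                             p_fp: float, p_fn: float) -> tuple[float, float]:
    """Return (P1, P2): P1 = P(a bad target is NOT evicted),
    P2 = P(a good target IS evicted), for a majority vote of m participants."""
    others = n_nodes - 1                   # the target does not vote on itself
    if not 0 < m <= others:
        raise ValueError("m must lie between 1 and n_nodes - 1")
    needed = m // 2 + 1                    # "evict" votes needed for a majority

    # Good target: all n_compromised colluders are among the candidate voters.
    p2 = 0.0
    for k in range(0, min(m, n_compromised) + 1):
        w = hypergeom_pmf(k, others, n_compromised, m)
        # k colluders vote "evict"; each of the m-k good voters errs with p_fp.
        p2 += w * binom_tail(m - k, p_fp, needed - k)

    # Bad target: the target itself is compromised, so one fewer colluder votes.
    colluders = max(n_compromised - 1, 0)
    p1 = 0.0
    for k in range(0, min(m, colluders) + 1):
        w = hypergeom_pmf(k, others, colluders, m)
        # Colluders vote "keep"; each good voter votes "evict" with 1 - p_fn.
        p1 += w * (1.0 - binom_tail(m - k, 1.0 - p_fn, needed))
    return p1, p2


if __name__ == "__main__":
    # Constructed scenario: 10 nodes, 2 compromised, per-node error rates 0.1.
    for m in (3, 5, 7):
        p1, p2 = voting_ids_probabilities(m, 10, 2, 0.1, 0.1)
        print(f"m={m}: P1(false negative)={p1:.4f}  P2(false positive)={p2:.4f}")
```

With p_fp = p_fn = 0 the output isolates the pure collusion effect: two colluders can evict a good node when m = 3 but not when m = 5, which is the tradeoff the results slides describe for larger m.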

System Model - Failure Definitions
- System Failure Definition 1 (SF1): the GCS fails when any mobile group fails.
- System Failure Definition 2 (SF2): the GCS fails when all mobile groups fail.
- Evaluate the effect of the two system failure definitions on the MTTSF of the system.

System Model - Failure Conditions
- Condition 1 (C1): an undetected compromised member requests and obtains data using the group key (leading to the loss of system integrity).
- Condition 2 (C2): more than 1/3 of the group member nodes are compromised but undetected by the IDS. This failure condition follows the Byzantine failure model (loss of availability of system service).

System Model - Connectivity
- Single-hop: a single group, not experiencing group merge or partition events; SF1 and SF2 are the same.
- Multi-hop: multiple groups exist in the system due to group partition/merge.

System Model - Reliability
- MTTSF indicates the lifetime of the GCS before it fails.
- The GCS fails when one mobile group fails (SF1) or when all mobile groups fail (SF2) in the mission-oriented GCS.
- A mobile group fails when either C1 or C2 is true.
- A lower MTTSF implies a faster loss of system integrity or availability.


Performance Model
- SPN (stochastic Petri net)
- Places
- Transitions
- Review


Places
- N_G: groups
- T_m: uncompromised members
- UC_m: undetected compromised nodes
- DC_m: evicted nodes (correctly detected compromised nodes, and falsely detected uncompromised nodes)
- GF: security failure (absorbing)

Transitions
- T_PAR: group partition
- T_MER: group merge
- T_CP: member compromise
- T_FA: false detection
- T_DRQ: confidentiality violation (C1), rate = λ_q · mark(UC_m) · p1
- T_IDS: correct detection
- T_RK: rekey

Review
- Why is the T_DRQ rate scaled by p1?
- Where is the Byzantine failure (C2) transition into GF? T_BYZ from UC_m, with multiplicity mark(T_m) / 2.
- Derive the SF2 reward model.

Parameterization
- T_RK rate
- T_CP rate
- IDS interval δ
- P_fp and P_fn

T_RK rate
- For one group: b_GDH / datalink rate
- For multiple groups: 3 · b_GDH · (N - 1) / datalink rate

T_CP rate
- The adversary becomes more aggressive when it has the upper hand.
- Rate: λ_c · (mark(T_m) + mark(UC_m) / mark(T_m))

IDS interval δ
- The IDS becomes more aggressive as it detects more compromised nodes.
- Rate: (T_IDS)^-1 · (N_init / (mark(T_m) + mark(UC_m)))



Parameterization and Metric
- Metric: MTTSF
- IDS interval (T_IDS), single-hop: 5s .. s (SF1 = SF2)
- IDS interval (T_IDS), multi-hop: 5s .. s (SF1, SF2)
- Number of vote-participants (m): 3, 5, 7
- Group communication rate (q): 1/30s, 1/1min, 1/2min, 1/4min, 1/8min
- Base compromising rate (c): 1/3h, 1/6h, 1/12h, 1/d, 1/2d

T_IDS on MTTSF under m (1)
- There is an optimal T_IDS.
- Where MTTSF increases as T_IDS increases, the negative effects of IDS are mostly due to false positives.
- Where MTTSF decreases as T_IDS increases, more compromised nodes remain in the system.

T_IDS on MTTSF under m (2)
- A large m reduces the possibility of collusion by compromised nodes, giving a high MTTSF.
- With a small m, the false alarm probability is relatively large, resulting in a small MTTSF.

T_IDS on MTTSF under m (3)
- MTTSF in single-hop is comparatively higher than in multi-hop due to the difference in node density (adverse effect).
- MTTSF under SF2 > MTTSF under SF1.

Sensitivity of MTTSF to q (1)
- When q is low, MTTSF is high; when q is high, MTTSF is low: it depends on the frequency of the data-leak attack.
- As q increases, the optimal T_IDS becomes smaller.
- The adverse effect of false positives dominates when T_IDS is sufficiently small.

Sensitivity of MTTSF to q (2)
- Optimal T_IDS in single-hop < optimal T_IDS in multi-hop, because single-hop needs to perform IDS more frequently to counter potentially more compromised nodes.
- MTTSF under SF2 > MTTSF under SF1.

Sensitivity of MTTSF to c (1)
- IDS is more effective when c is sufficiently low.

Sensitivity of MTTSF to c (2)
- Single-hop MANETs have a higher MTTSF because more members exist in single-hop MANETs.
- The optimal T_IDS is smaller in single-hop MANETs under identical conditions, because the system tends to execute IDS more frequently.

Conclusion
- A mathematical model.
- Input: operational conditions, system failure definitions, attacker behaviors.
- Output: the optimal rate at which to execute intrusion detection to enhance the system reliability of the GCS.
- Results: TIDS , as m , node density  or group size , q  c 

Questions?